new: [exercises] Added scamcall exercise and fixed basic-event-creation

This commit is contained in:
Sami Mokaddem 2024-07-02 11:39:45 +02:00
parent 4529017748
commit 29ef580dad
6 changed files with 607 additions and 52 deletions


@ -0,0 +1 @@
../exercises/ransomware-encoding.json


@ -1 +0,0 @@
../exercises/ransomware-exercise.json


@ -0,0 +1 @@
../exercises/scam-call-encoding.json


@ -177,21 +177,26 @@
} }
}, },
{ {
".Event.Attribute": { "[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"ip-dst\")).value": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ "4.3.2.1"
"type": "ip-dst", ]
"value": "1.2.3.4"
},
{
"type": "domain",
"value": "evil.com"
},
{
"type": "filename",
"value": "evil.exe"
} }
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"domain\")).value": {
"comparison": "contains",
"values": [
"evil.com"
]
}
},
{
"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"filename\")).value": {
"comparison": "contains",
"values": [
"evil.exe"
] ]
} }
} }
@ -226,13 +231,10 @@
} }
}, },
{ {
".Event.Object": { ".Event.Object[] | select(.name == \"domain-ip\")": {
"comparison": "contains", "comparison": "count",
"values": [ "values": [
{ ">0"
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734"
}
] ]
} }
} }
@ -259,21 +261,26 @@
} }
}, },
{ {
".Event.Object[name=\"domain-ip\"].Attribute": { ".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"ip\")).value": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ "4.3.2.1"
"object_relation": "ip", ]
"value": "4.3.2.1"
},
{
"object_relation": "domain",
"value": "foobar.baz"
},
{
"object_relation": "text",
"value": "Classified information"
} }
},
{
".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"domain\")).value": {
"comparison": "contains",
"values": [
"foobar.baz"
]
}
},
{
".Event.Object[] | select(.name == \"domain-ip\") | .Attribute[] | select((.type == \"text\")).value": {
"comparison": "contains",
"values": [
"Classified information"
] ]
} }
} }
@ -308,14 +315,10 @@
} }
}, },
{ {
".Event.Attribute": { ".Event.Attribute[] | select((.type == \"ip-dst\") and (.value == \"1.2.3.4\")).distribution": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ 0
"type": "ip-dst",
"value": "1.2.3.4",
"distribution": 0
}
] ]
} }
} }
@ -350,25 +353,18 @@
} }
}, },
{ {
".Event.Attribute": { ".Event.Attribute[] | select((.type == \"ip-dst\") and (.value == \"1.2.3.4\")).distribution": {
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ 0
"type": "ip-dst",
"value": "1.2.3.4",
"distribution": 0
}
] ]
} }
}, },
{ {
".Event.Attribute[value=\"1.2.3.4\"].Tag": { ".Event.Attribute[] | select((.type == \"ip-dst\") and (.value == \"1.2.3.4\")).Tag[].name": {
"JQ": "jq '.Event.Attribute[] | select(.value == \"1.2.3.4\") | .Tag'",
"comparison": "contains", "comparison": "contains",
"values": [ "values": [
{ "tlp:green"
"name": "tlp:green"
}
] ]
} }
} }
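Review bot: The `distribution` checks on the new side of the fourth and fifth hunks (`.Event.Attribute[] | select(... (.value == \"1.2.3.4\")).distribution` with `"values": [ 0 ]`) compare against a JSON integer, while the scam-call exercise added in this same commit compares the same field against the strings "0", "1", "4"; unless the evaluator's `contains` coerces types, one of the two forms cannot match, so the two files should settle on one representation (MISP's event JSON tends to serialize `distribution` as a string, but confirm against the evaluator before picking). Separately, the `[.Event.Object[].Attribute[], .Event.Attribute[]]` expressions in the first hunk and the `.Event.Object[] | select(...)` selectors in the second and third raise a jq "Cannot iterate over null" error rather than yielding nothing when `.Event.Object` is absent or null, which would fail the parameter outright instead of scoring it as not yet done; writing `.Event.Object[]?` makes the iteration tolerant of a missing array. The enclosing `parameters` arrays start and end outside these hunks.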


@ -4,8 +4,8 @@
"expanded": "MISP Encoding Exercise : Ransomware infection via e-mail", "expanded": "MISP Encoding Exercise : Ransomware infection via e-mail",
"meta": { "meta": {
"author": "MISP Project", "author": "MISP Project",
"level": "beginner", "level": "advanced",
"priority": 0 "priority": 10
}, },
"name": "MISP Encoding Exercise : Ransomware infection via e-mail", "name": "MISP Encoding Exercise : Ransomware infection via e-mail",
"namespace": "data-model", "namespace": "data-model",


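--- /dev/null
+++ b/exercises/scam-call-encoding.json
@@ -0,0 +1,558 @@
+{
+"exercise": {
+"description": "MISP Encoding Exercise : Scam Call",
+"expanded": "MISP Encoding Exercise : Scam Call",
+"meta": {
+"author": "MISP Project",
+"level": "beginner",
+"priority": 5
+},
+"name": "MISP Encoding Exercise : Scam Call",
+"namespace": "data-model",
+"tags": [
+"exercise:software-scope=\"misp\"",
+"state:production"
+],
+"total_duration": "7200",
+"uuid": "6c61b3a5-a760-4bac-be23-de97af397c2f",
+"version": "20240702"
+},
+"inject_flow": [
+{
+"description": "event-creation",
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd",
+"reporting_callback": [],
+"requirements": {},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+"startex"
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "IP-address",
+"inject_uuid": "cdf465dc-a859-43ed-b782-510427cfb451",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "malicious-payload",
+"inject_uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "Download URL",
+"inject_uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "IBAN Number",
+"inject_uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "Phone Number",
+"inject_uuid": "ee4a684e-2648-419a-bd65-29ab219660c4",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "Person",
+"inject_uuid": "14d11e1b-6609-47d5-9867-91996f432f34",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "Contextualization",
+"inject_uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": ""
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+},
+{
+"description": "Published",
+"inject_uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa",
+"reporting_callback": [],
+"requirements": {
+"inject_uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+"sequence": {
+"completion_trigger": [
+"time_expiration",
+"completion"
+],
+"followed_by": [
+],
+"trigger": [
+]
+},
+"timing": {
+"triggered_at": null
+}
+}
+],
+"inject_payloads": [
+],
+"injects": [
+{
+"action": "event-creation",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+}
+],
+"result": "MISP Event created",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+10
+]
+}
+],
+"name": "Event Creation",
+"target_tool": "MISP",
+"uuid": "de9f4c9b-dc97-4e84-85f3-859f30d3a3cd"
+},
+{
+"action": "ip-address",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select(.value == \"194.78.89.250\").to_ids": {
+"extract_type": "all",
+"comparison": "contains",
+"values": [
+true,
+1
+]
+}
+}
+],
+"result": "IP Address added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "IP Address",
+"target_tool": "MISP",
+"uuid": "cdf465dc-a859-43ed-b782-510427cfb451"
+},
+{
+"action": "malware-sample",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+".Event.Object[].Attribute[] | select((.type == \"sha1\")).value": {
+"extract_type": "all",
+"comparison": "equals",
+"values": [
+"04d496d39bc9409bfdabdeb07002b97093b58f77"
+]
+}
+}
+],
+"result": "Malware sample added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Malware sample",
+"target_tool": "MISP",
+"uuid": "79c8a538-28de-4edf-b0e2-253c59cbb973"
+},
+{
+"action": "url",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+".Event.Object[].Attribute[] | select((.type == \"url\")).value": {
+"extract_type": "all",
+"comparison": "equals",
+"values": [
+"https://zdgyot.ugic0k.ru/assets/bin.exe"
+]
+}
+},
+{
+".Event.Object[].Attribute[] | select((.type == \"domain\")).value": {
+"extract_type": "all",
+"comparison": "equals",
+"values": [
+"zdgyot.ugic0k.ru"
+]
+}
+}
+],
+"result": "Download URL added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Download URL",
+"target_tool": "MISP",
+"uuid": "60c6cfcc-99be-4b98-9eb7-e0a3e77bb449"
+},
+{
+"action": "iban",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"iban\")).value": {
+"extract_type": "all",
+"comparison": "contains",
+"values": [
+"GB29NWBK60161331926819"
+]
+}
+}
+],
+"result": "IBAN Number added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "IBAN Number",
+"target_tool": "MISP",
+"uuid": "ab32278b-a8e4-4539-8c1b-f262a2706ca8"
+},
+{
+"action": "phone",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+"[.Event.Object[].Attribute[], .Event.Attribute[]] | .[] | select((.type == \"phone-number\")).value": {
+"extract_type": "all",
+"comparison": "contains-regex",
+"values": [
+"\\+?12243359185"
+]
+}
+}
+],
+"result": "Phone Number added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Phone Number",
+"target_tool": "MISP",
+"uuid": "ee4a684e-2648-419a-bd65-29ab219660c4"
+},
+{
+"action": "person",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+".Event.Object[] | select((.name == \"domain-ip\")).distribution": {
+"comparison": "contains",
+"values": [
+"0",
+"1",
+"4"
+]
+}
+}
+],
+"result": "Person added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Person",
+"target_tool": "MISP",
+"uuid": "14d11e1b-6609-47d5-9867-91996f432f34"
+},
+{
+"action": "context",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+".Event.Tag | select(length > 0) | .[].name": {
+"extract_type": "all",
+"comparison": "count",
+"values": [
+">=3"
+]
+}
+}
+],
+"result": "Context added",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Contextualization",
+"target_tool": "MISP",
+"uuid": "4c242d49-fcf7-4c76-974b-6d5983c0eff9"
+},
+{
+"action": "published",
+"inject_evaluation": [
+{
+"parameters": [
+{
+".Event.info": {
+"comparison": "contains",
+"values": [
+"scam",
+"call"
+]
+}
+},
+{
+".Event.published": {
+"comparison": "equals",
+"values": [
+"1"
+]
+}
+}
+],
+"result": "Event published",
+"evaluation_strategy": "data_filtering",
+"evaluation_context": {
+},
+"score_range": [
+0,
+20
+]
+}
+],
+"name": "Published",
+"target_tool": "MISP",
+"uuid": "68cc60ff-e659-4589-88e5-7490fa4e1dfa"
+}
+]
+}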
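Review bot: The `person` inject (action `person`, result `Person added`) evaluates `.Event.Object[] | select((.name == \"domain-ip\")).distribution` against "0", "1", "4", so it scores the distribution of a domain-ip object rather than whether a person object was encoded at all; this reads as carried over from the basic-event-creation exercise, and a check in the style of the other injects, e.g. `".Event.Object[] | select(.name == \"person\")": { "comparison": "count", "values": [ ">0" ] }`, would test what the inject name promises. The `Contextualization` flow entry sets `"requirements": { "inject_uuid": "" }` while every other dependent entry requires the event-creation inject `de9f4c9b-dc97-4e84-85f3-859f30d3a3cd`; an empty uuid looks like a placeholder left in and should either reference that inject or be `{}` as the first entry does. The `published` check compares `.Event.published` with `equals` to the string "1" only, whereas the `to_ids` check in the ip-address inject deliberately accepts both `true` and `1`; if the event JSON carries a boolean here, `equals` against "1" may never pass, so the same dual form (or a plain `true`) would be more robust. Note also that `distribution` is compared as strings in this file but as the integer `0` in the basic-event-creation exercise changed by this same commit; the two should agree on one representation.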